Flashback trojan reportedly controls half a million Macs and counting

The Mac Flashback trojan has reportedly infected more than half a million Macs …

Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple's headquarters are located.

We have been covering the Mac Flashback trojan since 2011, but the most recent variant from earlier this week targeted an unpatched Java vulnerability within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.

According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there's no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you're on the Internet, you're potentially at risk.

Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.

This sort of thing is unacceptable, and hopefully this acts as a bit of a wakeup call to Apple. They have a decently secure core to work with, but they've gotten lazy on the Mac side, something that can fell anyone.

"On execution, the malware checks if the following path exists in the system: * /Library/Little Snitch...If any of these are found, the malware will skip the rest of its routine and proceed to delete itself."

I've been using Macs constantly since 1984, and I have to say this is the biggest (maybe only) severe malware problem I can remember. 600,000 Macbots is completely unprecedented.

Yeah, but iOS' popularity is a relatively new phenomenon. Mac has largely survived on protection by obscurity, but the rapidly growing number of Mac users is going to wreck that form of protection. When you couple that with the fact that most Mac users have been led to believe (by Apple's marketing) that Macs cannot be infected with malware, you're going to start seeing a lot more malware designed for the iOS market.

iOS devices outnumber Macs. Macs are still a small fraction of overall PCs out there. The security through obscurity is bullshit.

Well, I don't know about viruses, but it can get trojans... which is what this is.

You are correct, but to the vast majority of people there's no difference. When they see an Apple ad saying Macs don't get viruses, they take it to mean a Mac can't be infected, period, which is clearly not true.

Personally I'm sad to see this type of thing finally happening (even though I always thought it would). Now I have to start being as paranoid about my Mac as I am about my Windows box.

Any idea what, specifically, this trojan causes your computer to do? My ex-GF seemed to believe she was invincible on a Mac and has recently been spamming my email with ads (*suspicious*) from her email address.

My wife's first-gen Core Duo MacBook Pro hard drive is always busy, which I thought was due to limited hard drive space. Even after cleaning out ~15 gigs of space, the OS is slow and often unresponsive, and the HD is clickety-clacking all the time. I sure hope I don't have it. I'm going to check first thing when I get home. Has anyone's machine here tested positive? If so, does this sound familiar?

Sounds to me like your HD might be pining for the fiords. I hope you have it backed up.

Any idea what, specifically, this trojan causes your computer to do? My ex-GF seemed to believe she was invincible on a Mac and has recently been spamming my email with ads (*suspicious*) from her email address.

Is it a webmail account like Yahoo or Hotmail? Those can get hacked regardless of what type of computer is normally used to access them, especially if the account isn't protected by a strong password.

Any idea what, specifically, this trojan causes your computer to do? My ex-GF seemed to believe she was invincible on a Mac and has recently been spamming my email with ads (*suspicious*) from her email address.

From the linked F-Secure page (which you should really read if you're curious):

Quote:

If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.

Installation

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Downloading the Payload

The malware connects to the following URL to download its payload:

h t t p : / / 95.215.63.38/counter/%encoded_data%...

Etc., plenty of good info.

Besides the bogus software update PNG (complete with round Leopard-ish buttons), it will delete itself if it finds these too:

Quote:

Infection Type 2

In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:

If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself.

So basically, it's infecting really old Macs connected to the internet.

You'd be surprised how many older Macs you can find just by doing a quick remote desktop port scan. I see old Macs with ARD 2.x all the time, with names like "Joe's G4" responding back.

If you have common sense 101 and a newer Mac, you really don't have to worry... the haters will hate, but I see SSH attempts in Console on my little Mini all day long from China and East Asia... but they'll never get in. Period... OS X is secure; Java, Adobe and exploitable non-Apple frameworks, not so much... just don't enter your password in anything if you're not sure of the source.

Laugh all you want. This isn't a virus, it's a stupid Java exploit... Would I leave an MS Windows box open on the internet 24/7... HELL NO.

I really feel sad for people when they post "Mac does not get viruses, just trojans".

Are people really that dumb? A trojan can be considered a virus, and it's actually worse than a virus. Both are still computer code that makes something happen you do not want. A virus could delete data in the past or just play tricks like hijacking your mouse. A trojan is 100 times worse. It can spy on every keystroke you type, every web page you open, every login on every website, every credit card and payment you make, send spam from your PC, or just be part of a botnet that makes DoS attacks.

So when Mac fanboys say "We do not get viruses, just malware" it's like saying "I'm not sick, I'm just not healthy".

Do Mac fanboys really have an IQ of 10 to actually feel better by saying this?

Any computer system can be infected and become insecure. Mostly it depends on the user, but other factors depend on the code of the software running on the machine.

So, yes, Macs are insecure just like Windows is and just like Linux is. Every computer system can be cracked, hacked and/or infected with enough motivation.

I don't believe this story. 600K. Please. Antivirus "experts" and companies want Macs to be infected so badly because it's their business model, and they haven't made as much money off of Mac owners as they have off PC owners for so long. I don't think Macs are totally immune, but I don't believe 600K. Let's prove there's 600 infected first. And maybe the proof could come from someone whose livelihood doesn't depend on it.

the malware installs itself after you visit a compromised or malicious webpage

It works in a roundabout way. There's no simple way to run third-party code on an iOS device that isn't jailbroken (without finding another hack to do so), so it works. The App Store creates a scenario where the whole device is more secure.

Of course, once security flaws start to be found in iOS (and they will) app makers will start pushing apps that try to hide it. But Apple is in a pretty secure position for now.